fuzz: add a demux API fuzz target

89cc3114 · Shaleen Jain · 583b4b6e · 89cc3114 · 583b4b6e · 89cc3114
Commit 89cc3114 authored Aug 27, 2017 by Shaleen Jain
--- a/test/fuzz/Makefile.am
+++ b/test/fuzz/Makefile.am
@@ -12,8 +12,8 @@ noinst_HEADERS = \
 	fuzzer.h

 check_PROGRAMS = \
-	fuzz_me
+	libvlc_demux_fuzzer

-fuzz_me_SOURCES = \
-	fuzz_me.cpp \
+libvlc_demux_fuzzer_SOURCES = \
+	libvlc_demux_fuzzer.cpp \
 	fuzzer_common.c
--- a/test/fuzz/fuzz_me.cpp
+++ b/test/fuzz/fuzz_me.cpp
-#include <stdint.h>
-#include <stddef.h>
-
-extern "C" {
-#include "fuzzer.h"
-}
-
-int FuzzerInitialize(int *argc, char ***argv) {
-    return 0;
-}
-
-bool FuzzMe(const uint8_t *Data,
-            size_t DataSize) {
-  return DataSize >= 3 &&
-      Data[0] == 'F' &&
-      Data[1] == 'U' &&
-      Data[2] == 'Z' &&
-      Data[3] == 'Z';  // :‑<
-}
-
-int FuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-  FuzzMe(Data, Size);
-  return 0;
-}
--- a/test/fuzz/fuzzer.h
+++ b/test/fuzz/fuzzer.h
@@ -21,6 +21,8 @@
 #ifndef FUZZER_H
 #define FUZZER_H

+extern int disable_avformat;
+
 int FuzzerTestOneInput(const uint8_t *buf, size_t len);
 int FuzzerInitialize(int *argc, char ***argv);
 void FuzzerCleanup(void);

--- a/test/fuzz/fuzzer_common.c
+++ b/test/fuzz/fuzzer_common.c
@@ -24,7 +24,9 @@

 #include "fuzzer.h"

+int disable_avformat = 0;
 static struct option long_options[] = {
+    {"disable-avformat", no_argument,       &disable_avformat, 1},
    {0,                  0,                 0,                 0}
 };


--- a/test/fuzz/libvlc_demux_fuzzer.cpp
+++ b/test/fuzz/libvlc_demux_fuzzer.cpp
+/*****************************************************************************
+ * libvlc_demux_fuzzer.cpp: fuzz target for demux modules
+ *****************************************************************************
+ * Copyright (C) 2017 Shaleen Jain <shaleen.jain95@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
+ *****************************************************************************/
+
+/*
+ * Fuzz the various demux modules.
+ *
+ * The avformat demux module can be disabled since its
+ * upstream project ffmpeg is already fuzz tested.
+ *
+ * libvlc_demux_fuzzer --disable-avformat
+ */
+
+#include <vlc/libvlc.h>
+
+#include <vlc_common.h>
+#include <vlc_stream.h>
+#include <vlc_demux.h>
+#include <vlc_meta.h>
+#include <vlc_modules.h>
+#include <assert.h>
+
+#include "../../lib/libvlc_internal.h"
+
+extern "C" {
+#include "fuzzer.h"
+}
+
+static libvlc_instance_t *p_libvlc;
+
+int FuzzerInitialize(int *argc, char ***argv) {
+
+    setenv("VLC_PLUGIN_PATH", "../../modules", 1);
+    p_libvlc = libvlc_new(0, NULL);
+    assert(p_libvlc != NULL);
+
+    /* Disable all logging for increased performance*/
+    libvlc_log_unset(p_libvlc);
+    return 0;
+}
+
+int pf_send_stub ( es_out_t *out, es_out_id_t *es, block_t *p_block ) {
+    block_Release( p_block );
+    return VLC_SUCCESS;
+}
+
+es_out_id_t * pf_add_stub( es_out_t *out, const es_format_t *fmt ) {
+    void *es = malloc(1);
+    return (es_out_id_t*) es;
+}
+void pf_del_stub( es_out_t *out, es_out_id_t *es ) {
+    free( es );
+}
+
+int pf_control_stub ( es_out_t *out, int i_query, va_list args ) { return VLC_SUCCESS; }
+void pf_destroy_stub ( es_out_t *out ) {}
+
+unsigned demux_TestAndClearFlags( demux_t *demux, unsigned flags )
+{
+    unsigned i_update;
+    if ( demux_Control( demux, DEMUX_TEST_AND_CLEAR_FLAGS, &i_update ) == VLC_SUCCESS )
+        return i_update;
+    unsigned ret = demux->info.i_update & flags;
+    demux->info.i_update &= ~flags;
+    return ret;
+}
+
+void demux_GetMeta(demux_t *demux) {
+    vlc_meta_t *p_meta = vlc_meta_New();
+    if( unlikely(p_meta == NULL) )
+        return;
+
+    input_attachment_t **attachment;
+    int i_attachment;
+
+    demux_Control( demux, DEMUX_GET_META, p_meta );
+    demux_Control( demux, DEMUX_GET_ATTACHMENTS, &attachment, &i_attachment );
+
+    vlc_meta_Delete( p_meta );
+}
+
+int FuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+
+    // Create an input stream
+    stream_t *stream = vlc_stream_MemoryNew(p_libvlc->p_libvlc_int,
+            const_cast<uint8_t *>(Data), Size, true);
+    assert(stream != NULL);
+
+    es_out_t es_out = {
+            .pf_add = pf_add_stub,
+            .pf_send = pf_send_stub,
+            .pf_del = pf_del_stub,
+            .pf_control = pf_control_stub,
+            .pf_destroy = pf_destroy_stub,
+            .p_sys = NULL
+    };
+
+    demux_t *demux = demux_New(VLC_OBJECT(p_libvlc->p_libvlc_int), "","", stream, &es_out);
+
+    if(demux != NULL) {
+
+        /* Do not fuzz avformat(ffmpeg) demux*/
+        if( disable_avformat && strcmp(module_get_name(demux->p_module, false), "Avformat") )
+        {
+            demux_Delete( demux );
+            return 0;
+        }
+
+        int i_ret;
+        do {
+            i_ret = demux_Demux( demux );
+
+            if( demux_TestAndClearFlags( demux, INPUT_UPDATE_TITLE_LIST ) )
+                demux_Control( demux, DEMUX_GET_TITLE_INFO );
+
+            if( demux_TestAndClearFlags( demux, INPUT_UPDATE_META ) )
+                demux_GetMeta( demux );
+
+            int seekpoint = 0;
+            double position = 0.0;
+            mtime_t time = 0;
+            mtime_t length = 0;
+
+            /* Call controls for increased code coverage */
+            demux_Control( demux, DEMUX_GET_SEEKPOINT, &seekpoint );
+            demux_Control( demux, DEMUX_GET_POSITION, &position );
+            demux_Control( demux, DEMUX_GET_TIME, &time );
+            demux_Control( demux, DEMUX_GET_LENGTH, &length );
+
+        } while( i_ret == VLC_DEMUXER_SUCCESS );
+
+        demux_Delete( demux );
+    } else {
+        vlc_stream_Delete(stream);
+    }
+
+    return 0;
+}
+
+void FuzzerCleanup(void) {
+    libvlc_release(p_libvlc);
+}